IoT Security: Down to Fundamental and Up to C-Level

A new approach is needed to address these concerns and protect these devices and should include:

Defending the non-volatile memory.

Controlling write/read attempts, independent of the host CPU or OS.

Ensuring a secured channel for content updates.

Deploying a solution that is agnostic to the CPU, OS and memory brands.

Creating a management platform that is able to securely monitor updates.

To create this breakthrough in security, organizations must understand security technologies and the gaps that keep CIOs and CEOs awake at night. Understanding the business needs of enterprises
and companies will lead to the development of the technology from the embedded devices up to the management platform, and to tools that provide information consumed by many key players, from IT
managers up to C-level executives.

Focusing the effort on defending the non-volatile memory follows from the fact that the “holy grail” mentioned above remains the main target for attackers. Attackers want their attacks to
be persistent, to stay in control of devices and networks, and to be easily hidden. They also want to easily manage their future attacks.

If only an authorized party can control the write and read lines, nobody else is able to manipulate the data or the code stored inside the memory device. A software-only security solution, even
a very sophisticated one, trying to close this security gap can be compared to Bobby Fischer trying to win a basketball game. CISOs need to do more than apply common methods such as protecting content or
firmware through encryption, as encryption cannot protect against attempts to destroy the data.

What is needed is a truly innovative security approach in which various components run in the memory itself while the management platform runs in the company’s secured area, taking
full advantage of its capabilities. Each flash-enabled device self-registers with the management platform during its first operation using a unique, unclonable key. Thus, even if one end-device (or
many) is breached—a huge task by itself—there is no impact on other devices, which remain secure.

This solution should protect the root of trust between the cloud and the device, from provisioning time throughout the device’s entire lifecycle and after, ensuring that only an authorized entity
can update and change the device’s critical elements.
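The control model described above (writes gated in the memory device, a management platform in the secured area, per-device registration with a unique key) can be sketched in code. The following is an added example written for this page, not NanoLock’s product code: it simulates a protected flash part whose write path refuses every request coming from the host CPU/OS and accepts content only when a per-device MAC from the registered platform verifies. The HMAC over a shared per-device key is an assumption standing in for whatever unclonable-key scheme a real part uses; the device ids and firmware payloads are constructed sample values.

```python
"""Simulated memory-side write gate with per-device registration (added example)."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, device_id: str, version: int, payload: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over the update fields (constructed format)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (device_id.encode(), version.to_bytes(4, "big"), payload):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class ManagementPlatform:
    """Runs in the organisation's secured area and holds one key per device."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, device_id: str, device_key: bytes) -> None:
        # First-operation self-registration; a second registration under the
        # same id is refused so a clone cannot displace the original device.
        if device_id in self._keys:
            raise ValueError(f"{device_id} already registered")
        self._keys[device_id] = device_key

    def sign_update(self, device_id: str, version: int, payload: bytes) -> dict:
        """Authorise new content for exactly one device (keyed per device)."""
        mac = _mac(self._keys[device_id], device_id, version, payload)
        return {"device_id": device_id, "version": version,
                "payload": payload, "mac": mac}


class ProtectedFlash:
    """Memory-side gate: the host may read, but content changes only through
    an update that verifies against this device's own key."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        # Stand-in for the unique unclonable key provisioned in the part.
        self._key = secrets.token_bytes(32)
        self.version = 0
        self.content = b""
        self.events: list[str] = []

    def register_with(self, platform: ManagementPlatform) -> None:
        platform.register(self.device_id, self._key)

    def read(self) -> bytes:
        return self.content

    def host_write(self, data: bytes) -> bool:
        # Every write arriving on the host CPU/OS path is refused and logged,
        # whatever software (or malware) is running on the host.
        self.events.append(f"blocked host write of {len(data)} bytes")
        return False

    def apply_update(self, update: dict) -> bool:
        if update["device_id"] != self.device_id:
            self.events.append("rejected: addressed to another device")
            return False
        expected = _mac(self._key, self.device_id, update["version"], update["payload"])
        if not hmac.compare_digest(expected, update["mac"]):
            self.events.append("rejected: MAC does not verify")
            return False
        if update["version"] <= self.version:
            self.events.append("rejected: replay or rollback")
            return False
        self.content = update["payload"]
        self.version = update["version"]
        self.events.append(f"applied version {self.version}")
        return True


def demo() -> list[str]:
    """Walk through host-write blocking, a valid update, a replay and a forgery."""
    platform = ManagementPlatform()
    cam = ProtectedFlash("cam-01")
    cam.register_with(platform)
    cam.host_write(b"malicious implant")                  # blocked
    good = platform.sign_update("cam-01", 1, b"fw-v1")
    cam.apply_update(good)                                # applied
    cam.apply_update(good)                                # replay blocked
    other = ProtectedFlash("cam-02")
    other.register_with(platform)
    forged = dict(platform.sign_update("cam-02", 2, b"fw-v2"), device_id="cam-01")
    cam.apply_update(forged)                              # other device's key: rejected
    return cam.events


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The event log is the kind of signal the management platform would collect: a burst of blocked host writes on one device indicates compromised host software, while the device content itself stays intact. Because keys are per device, an update authorised for one device cannot be replayed or relabelled for another, which is the breach-isolation property the text claims.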

It’s important that any security protecting IoT devices from embedded to cloud include the following features:

Protecting endpoints with limited resources

Interfacing to external management systems

Securing and validating new content, including firmware, data and software

Fully backward compatible

Providing ironclad security

No latency

Working with all CPUs and all OSs (CPU and OS agnostic)

Protecting against CPU “takeover”

Securing FOTA updates

Protecting systems from reverse engineering

If organizations focus on protecting the persistent memory, recent well-known attacks could most likely have been prevented. If the devices’ flash memory had been protected, threats like VPNFilter
and Mirai would not exist, and such threats are damaging to organizations that run IoT devices. For example, the Mirai malware changed code in security cameras, routers and other sorts of
connected devices, turning them into bots in a botnet that was later used to attack Amazon, Twitter, Spotify, Dyn and many others. There is also the issue of vulnerabilities such as
Meltdown and Spectre, which demonstrate a fundamental flaw in CPU design. While chip vendors have shipped software patches to address the issue, these patches
will have limited effect against current and future breaches resulting from internal design flaws, coding errors and external hacking, all of which still have huge implications for a number of
connected devices from the medical field to smart cities. If the firmware of those routers or cameras had security built into or on top of the persistent memory, the content could not
have been changed and could only have been updated and managed by the organization that owns the device.

Organizations need an end-to-end, embedded-to-cloud solution for managing, protecting and firmly securing IoT and connected edge devices: an approach that prevents every attack vector from
overwriting, modifying, manipulating or erasing memory content. Until then, we’ll never find the “holy grail” of cybersecurity protection.

=============

NanoLock Security is an Israeli start-up with an innovative, out-of-the-box approach and technology in the arena of managing and securing connected and IoT devices. NanoLock has offices in New York, Israel and Tokyo.